Study finds the majority of Android VPNs do not protect user security and privacy

A newly published study has found that the majority of Android VPN apps do not protect the security and privacy of their users in any meaningful way.

The study, titled “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps,” was completed by a team of researchers from Australia’s Commonwealth Scientific and Industrial Research Organization, the University of South Wales and the University of California at Berkeley. To compile its report, the group examined the source code and networking behaviour of 283 VPNs available to download from the Google Play store.

Some of the study’s more damning findings include the revelation that 18 percent of surveyed apps do not feature end-to-end encryption, meaning they leave their users open to man-in-the-middle hacking attempts.

The study also found that 66 percent of Android VPN apps leak domain name system data, which gives third parties the opportunity to monitor and manipulate traffic coming from behind those apps.

Another 38 percent of VPN apps included code that was considered malicious by VirusTotal, a Google-owned tool that aggregates anti-virus definitions from more than 100 other antivirus apps.

Perhaps most disheartening is the fact that, of the 67 percent of apps that list enhanced privacy as one of their selling points, 75 percent use third-party tracking to monitor a user’s online usage.

“Our results show that — in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps — millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps,” say the report’s authors. “Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains terra incognita even for tech-savvy users.”

If you’re reading this looking for a recommendation, the study’s authors highlighted a single app they thought was worth downloading: F-Secure Freedome VPN.

But… Google Play Store. If you stick to Google Play and avoid third-party stores you’ll be safe from malware or other misbehaving Apps.

Igor Bonifacic

All the apps included in the study were downloaded from Google Play. I sometimes call the official store Google Play store to enhance the flow of a sentence.

ciderrules

I was being sarcastic. Android users always used to brag about their ability to choose their store of choice, unlike Apple which restricts you to their store (walled garden). Once third party stores became filled with malware and other scams those same Android users now tell people to stick to Google Play to avoid these problems.

Oh how times have changed.

Shogun

Typical nonsense from an Apple fanboy. Fact is that people can use APKs to download and install their own apps to an Android device and are not FORCED to buy or acquire one through the Play Store. Perhaps that point is what is missing for you given your religious adherence to a brand that doesn’t allow any of this and not only forces you to buy content through their App store but also goes on to restrict the ability of the customer to buy additional content within that app. Such as books on Kindle (Apple prefers you buy from their iBooks) or a music subscription through Spotify instead of Apple Music. It’s one of the most restrictive and ridiculous ecosystems out there compared to any notion that Android is the same.

p.s. Apple’s iOS updates also seem to have the effect of rendering some VPN apps useless until the developer is forced to come out with further updates to correct whatever Apple is doing to prevent users from using this feature either.

Shogun

Sounds more like a study aimed at discrediting other VPNs in favour of promoting another. Not to be taken too seriously.

It’s Me

That would be a convenient excuse to help some people feel better about their lack of security, but the fact is that it was an academic study. There is nothing there that makes it sound like it was meant to promote a specific vendor, other than it recognized that one actually works and didn’t put you further at risk.

In the end, most people that use VPNs don’t really understand how they work, what protection they are supposed to provide and, importantly, what risks they could introduce. These vulnerabilities and malware/ad-ware trojans could affect iOS apps just as much as Android, just depends on how much work the devs want to put into obfuscating what they are doing. Always-on end-to-end encryption is a better protection for communications.

Shogun

Personally I use a VPN for streaming content that is geo-blocked so from that standpoint that’s what I see its uses for. If however people are going to roam around and use public Wi-Fi to conduct sensitive communications and transactions then I wouldn’t necessarily rely on a VPN app any more than just the basic network for protection.

Jason

That’s why you always have to do research, even for desktop ones. Many of the free and super cheap ones just don’t offer the protection. Even if you have a VPN it can be hard to confirm if you’re safe because there’s no visual indication other than “connected”.